Archives for June 2015

S4x15 came on the heels of the attack on Sony. Everyone was discussing how cyber attack attribution can be done and the level of certainty that is possible, so we had a panel to discuss this very issue.

The second part of the panel discussed what the victim does after it has attributed an attack to a nation or organization: retribution.

The panel included Bill Hagestad of Red Dragon Rising, Jonathan Pollet of Red Tiger, and Tim Yardley of University of Illinois.

There is a ‘talk franchise’ that has started titled ‘Switches Get Stitches.’ Started by Eireann Leverett and Colin Cassidy, it showcases problems in industrial network switch hardware and firmware. Digital Bond Labs offers a humble contribution to the cause: a demonstration of a firmware rootkit for an (admittedly somewhat dated) industrial switch. If you are attending Defcon 23, be sure to check out the ‘official’ SGS talk there.

One of the components in this year’s ICS Village CTF is going to be fairly unusual: we have modified a network switch’s firmware. This gives us a lot of interesting leeway: we can now mangle packets, talk to a command and control server, and plant a few other interesting flags for participants to find.

Most ICS equipment lacks any kind of firmware protection. Scarier is the fact that some operators, including a very small subset of utility operators, purchase safety-critical equipment from dubious sources such as eBay.

So, let’s take apart a network switch and show just how easy it is to trojan a device!

ESCAR was an interesting event. There were about 150 in attendance from various parts of the auto cybersecurity community including OEMs, tier 1 vendors, and defense products. There were speakers on a variety of good topics, the full lineup is available at https://www.escar.info/escar-usa/program.html. Being an “outsider” to the auto security community I really enjoyed the opportunity to meet people and have some interesting discussions.

The opening keynote by Alex Halderman of U of Michigan was highly interesting, covering the all-too-common re-use of keys, and the predictable keys, that are prevalent in embedded systems because so many devices generate them from a common starting point. This is relevant information that will hopefully sink in and be of use in the future as more devices incorporate encryption, but as of now such devices are rare (in both the auto industry and ICS).

“Methods for Penetration Testing of Automotive Embedded Systems” presented by Argus was a good primer in security analysis for these types of systems. A few talks discussed handling the increasing connectivity in vehicles moving forward and how to best separate the concerns of interactive vehicle features affecting safety and operational control systems. I feel like this is the most important area to be considered at the moment for the industry.

Vendors at the conference seem to be focusing on IDS/IPS for vehicle systems. The idea is to install extra equipment that monitors the CANBus, identifies messages that occur when they should not, and prevents those messages from reaching the ECU. This requires keeping a knowledgeable running state of the vehicle to determine whether, for example, a “steering wheel left park assist” action is correct at a given time. Some vendors seem to do this via software on existing vehicles and others via entirely separate sensor systems to be installed aftermarket. I think this is a *VERY* difficult problem to solve (having worked in the situational awareness space previously) and is a common issue that people attempt to band-aid over in cybersecurity.
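To make the “running state” problem concrete, here is an added example (not code from the original post or from any vendor mentioned) of a minimal context-aware CAN monitor: it tracks vehicle speed from one broadcast frame and flags a park-assist steering command that arrives when the vehicle is moving too fast or when the last speed reading is stale. The CAN IDs, payload encodings and thresholds are constructed placeholders; real values are OEM-specific.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, hypothetical CAN IDs and encodings for illustration only.
SPEED_ID = 0x1A0               # vehicle speed broadcast: first 2 bytes = km/h * 100
PARK_ASSIST_STEER_ID = 0x2C0   # park-assist steering command
PARK_ASSIST_MAX_KMH = 10.0     # park assist is only plausible at crawling speed
SPEED_MAX_AGE_MS = 500         # a speed reading older than this is treated as unknown


@dataclass
class Frame:
    ts_ms: int     # capture timestamp in milliseconds
    can_id: int
    data: bytes


class ContextIDS:
    """Keeps a running vehicle state and judges each frame against it."""

    def __init__(self) -> None:
        self.speed_kmh: Optional[float] = None
        self.speed_ts: Optional[int] = None

    def observe(self, f: Frame) -> Optional[str]:
        """Return None if the frame is plausible, otherwise an alert string."""
        if f.can_id == SPEED_ID and len(f.data) >= 2:
            self.speed_kmh = int.from_bytes(f.data[:2], "big") / 100
            self.speed_ts = f.ts_ms
            return None
        if f.can_id == PARK_ASSIST_STEER_ID:
            # Fail closed: without fresh speed context we cannot vouch for the command.
            if self.speed_ts is None or f.ts_ms - self.speed_ts > SPEED_MAX_AGE_MS:
                return f"{f.ts_ms}: park-assist steering with unknown or stale speed"
            if self.speed_kmh > PARK_ASSIST_MAX_KMH:
                return f"{f.ts_ms}: park-assist steering at {self.speed_kmh} km/h"
        return None


def scan(frames: List[Frame]) -> List[str]:
    ids = ContextIDS()
    return [a for a in (ids.observe(f) for f in frames) if a]


# Constructed sample capture: one plausible command, one at highway speed, one with stale context.
SAMPLE = [
    Frame(0, SPEED_ID, (300).to_bytes(2, "big")),        # 3.00 km/h
    Frame(50, PARK_ASSIST_STEER_ID, b"\x01\x10"),         # plausible: creeping in a car park
    Frame(1000, SPEED_ID, (8000).to_bytes(2, "big")),     # 80.00 km/h
    Frame(1050, PARK_ASSIST_STEER_ID, b"\x01\x10"),       # anomaly: park assist at 80 km/h
    Frame(3000, PARK_ASSIST_STEER_ID, b"\x01\x10"),       # anomaly: speed context is 2 s old
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```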

Shodan is a really useful tool for, well, all sorts of research. Not only can you quickly determine what the public-facing security impact of a new vulnerability is going to be, you can find all sorts of control systems attached to the Internet that shouldn’t be. Searching for random control-systems related terms sometimes even steers a researcher towards new and interesting equipment to test.

John Matherly, who runs Shodan, is constantly tweaking settings and adding features (and new scan types) to help the security community. [On a personal level I can’t thank him enough for teaching me all of the tricks that I’m writing about here].

Two of the recent changes made ended up being really helpful for finding some of the most vulnerable ICS systems: telnet options searching and bannerless telnet searching. The latter of these is only available to folks who pay for API access, but it opens up some rather interesting critical infrastructure to locatability.

Way back in 2012 we did Project Basecamp. The ‘Biggest Loser’ of Project Basecamp, purely on the number of red ‘X’ security failures, was General Electric’s D20ME RTU. (I should mention that GE has made strides in improving the line with the release of their D20MX, but the D20ME line will remain forever vulnerable). Back then, I really wanted to be able to search for the D20 on Shodan but couldn’t. This was because the D20 only supports Telnet, and it supports it in a way that Shodan didn’t support. Until now.

After a long and successful struggle to bring an industrial firewall to market, Eric Byres is leaving Belden and Tofino behind. We shouldn’t call it retirement because I expect that Eric will be contributing in a number of different ways in the next ten years.

I gave Eric a few months to clear his head and then talked with him for this episode of the Unsolicited Response Podcast.

The first 16 minutes of the episode are a retrospective of Tofino. What features were surprisingly effective, what were the biggest challenges and dark times, when will we see Tofino on a chip and more.

After that we talk about bigger questions on the ICSsec community, Eric’s home automation and what he may do next.

I enjoyed last week in Detroit at ESCAR (Embedded Security in Cars). I went there to present on the topic of vehicle security and how remote access and third party devices impact the threat landscape. Many researchers have published about the security concerns of vehicle systems, namely the CANBus and its simple nature that lacks security controls entirely. It has been shown that if an attacker is able to send messages on the CAN, they are able to control the vehicle.

I performed a security assessment of a third party OBDII dongle. This dongle sits in the diagnostics port of the vehicle (which is on the CAN), collects information, and sends that information through the cellular networks to the third-party servers. I found that this device follows the pattern we see in embedded systems which is to say that it was designed and created without any security in mind whatsoever. Cleartext communication channels, no hardware separation of concerns, hardcoded database credentials…the list goes on.

What this means for auto manufacturers is that it cannot be assumed that the vehicle CAN will be isolated. An attacker may not need physical access to a vehicle to execute an attack. Attacks are no longer limited to a single vehicle and may affect entire fleets managed by these types of systems. Defending against these attack vectors requires a separation that prevents a compromised dongle from affecting the vehicle in any way whatsoever. I created a proof-of-concept “CAN Protector.” This device acts as a gateway that propagates information out of the vehicle network (one-way/read-only) for consumption by third party devices.

We are pleased to announce a return to Tokyo for the S4xJapan event on Friday, November 6th.

S4xJapan will be held again at Academy Hills on the 49th Floor of the Roppongi Hills Mori Building. There will be a fun and novel social event (last year was the Kaspersky KIPS game for the first time in Japanese) with food and drink after the day’s sessions complete. And then you will be close to the Tokyo nightlife on a Friday night to have some fun with old and new friends in the ICS security community.

The event will be a very full one-day event that will cover ICS security, Operations Technology (OT), ICS cyber weapons and related topics.

We are looking for sessions in both English and Japanese (simultaneous translation will be provided).

If you have a session you would like to present or know of a speaker or topic we should chase, send us an email at S4@digitalbond.com.

We will welcome some presentations from overseas experts with new information and techniques. If this is you, please note that PACSEC JP is the following Wednesday and Thursday so you can potentially speak at two events and enjoy some time in Tokyo.

About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.